system {dhcp server | dhcp6 server}
Configure DHCP servers used to assign IP settings, including IP addresses, to devices connected to a FortiGate interface.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.
| Command | Description |
|---|---|
| set tftp-server <string> [<string>] | Multiple IP addresses or hostnames can now be entered, with each entry separated by a space. |
| config prefix-range edit <id> set start-prefix <prefix> set end-prefix <prefix> set prefix-length <length> next ... | Configure a range for DHCPv6 server prefix delegation. Add a prefix range (starting and ending prefixes) and a prefix length, which determines the length of the prefix that the FortiGate sends downstream. |
config system dhcp server
edit {id}
# Configure DHCP servers.
set id {integer} ID. range[0-4294967295]
set status {disable | enable} Enable/disable this DHCP configuration.
set lease-time {integer} Lease time in seconds, 0 means unlimited. range[300-8640000]
set mac-acl-default-action {assign | block} MAC access control default action (allow or block assigning IP settings).
assign Allow the DHCP server to assign IP settings to clients on the MAC access control list.
block Block the DHCP server from assigning IP settings to clients on the MAC access control list.
set forticlient-on-net-status {disable | enable} Enable/disable FortiClient-On-Net service for this DHCP server.
set dns-service {local | default | specify} Options for assigning DNS servers to DHCP clients.
local IP address of the interface the DHCP server is added to becomes the client's DNS server IP address.
default Clients are assigned the FortiGate's configured DNS servers.
specify Specify up to 3 DNS servers in the DHCP server configuration.
set dns-server1 {ipv4 address} DNS server 1.
set dns-server2 {ipv4 address} DNS server 2.
set dns-server3 {ipv4 address} DNS server 3.
set wifi-ac1 {ipv4 address} WiFi Access Controller 1 IP address (DHCP option 138, RFC 5417).
set wifi-ac2 {ipv4 address} WiFi Access Controller 2 IP address (DHCP option 138, RFC 5417).
set wifi-ac3 {ipv4 address} WiFi Access Controller 3 IP address (DHCP option 138, RFC 5417).
set ntp-service {local | default | specify} Options for assigning Network Time Protocol (NTP) servers to DHCP clients.
local IP address of the interface the DHCP server is added to becomes the client's NTP server IP address.
default Clients are assigned the FortiGate's configured NTP servers.
specify Specify up to 3 NTP servers in the DHCP server configuration.
set ntp-server1 {ipv4 address} NTP server 1.
set ntp-server2 {ipv4 address} NTP server 2.
set ntp-server3 {ipv4 address} NTP server 3.
set domain {string} Domain name suffix for the IP addresses that the DHCP server assigns to clients. size[35]
set wins-server1 {ipv4 address} WINS server 1.
set wins-server2 {ipv4 address} WINS server 2.
set default-gateway {ipv4 address} Default gateway IP address assigned by the DHCP server.
set next-server {ipv4 address} IP address of a server (for example, a TFTP server) that DHCP clients can download a boot file from.
set netmask {ipv4 netmask} Netmask assigned by the DHCP server.
set interface {string} DHCP server can assign IP configurations to clients connected to this interface. size[15] - datasource(s): system.interface.name
config ip-range
edit {id}
# DHCP IP range configuration.
set id {integer} ID. range[0-4294967295]
set start-ip {ipv4 address} Start of IP range.
set end-ip {ipv4 address} End of IP range.
next
set timezone-option {disable | default | specify} Options for the DHCP server to set the client's time zone.
disable Do not set the client's time zone.
default Clients are assigned the FortiGate's configured time zone.
specify Specify the time zone to be assigned to DHCP clients.
set timezone {option} Select the time zone to be assigned to DHCP clients.
01 (GMT-11:00) Midway Island, Samoa
02 (GMT-10:00) Hawaii
03 (GMT-9:00) Alaska
04 (GMT-8:00) Pacific Time (US & Canada)
05 (GMT-7:00) Arizona
81 (GMT-7:00) Baja California Sur, Chihuahua
06 (GMT-7:00) Mountain Time (US & Canada)
07 (GMT-6:00) Central America
08 (GMT-6:00) Central Time (US & Canada)
09 (GMT-6:00) Mexico City
10 (GMT-6:00) Saskatchewan
11 (GMT-5:00) Bogota, Lima, Quito
12 (GMT-5:00) Eastern Time (US & Canada)
13 (GMT-5:00) Indiana (East)
74 (GMT-4:00) Caracas
14 (GMT-4:00) Atlantic Time (Canada)
77 (GMT-4:00) Georgetown
15 (GMT-4:00) La Paz
87 (GMT-4:00) Paraguay
16 (GMT-3:00) Santiago
17 (GMT-3:30) Newfoundland
18 (GMT-3:00) Brasilia
19 (GMT-3:00) Buenos Aires
20 (GMT-3:00) Nuuk (Greenland)
75 (GMT-3:00) Uruguay
21 (GMT-2:00) Mid-Atlantic
22 (GMT-1:00) Azores
23 (GMT-1:00) Cape Verde Is.
24 (GMT) Monrovia
80 (GMT) Greenwich Mean Time
79 (GMT) Casablanca
25 (GMT) Dublin, Edinburgh, Lisbon, London
26 (GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
27 (GMT+1:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague
28 (GMT+1:00) Brussels, Copenhagen, Madrid, Paris
78 (GMT+1:00) Namibia
29 (GMT+1:00) Sarajevo, Skopje, Warsaw, Zagreb
30 (GMT+1:00) West Central Africa
31 (GMT+2:00) Athens, Sofia, Vilnius
32 (GMT+2:00) Bucharest
33 (GMT+2:00) Cairo
34 (GMT+2:00) Harare, Pretoria
35 (GMT+2:00) Helsinki, Riga, Tallinn
36 (GMT+2:00) Jerusalem
37 (GMT+3:00) Baghdad
38 (GMT+3:00) Kuwait, Riyadh
83 (GMT+3:00) Moscow
84 (GMT+3:00) Minsk
40 (GMT+3:00) Nairobi
85 (GMT+3:00) Istanbul
41 (GMT+3:30) Tehran
42 (GMT+4:00) Abu Dhabi, Muscat
43 (GMT+4:00) Baku
39 (GMT+3:00) St. Petersburg, Volgograd
44 (GMT+4:30) Kabul
46 (GMT+5:00) Islamabad, Karachi, Tashkent
47 (GMT+5:30) Kolkata, Chennai, Mumbai, New Delhi
51 (GMT+5:30) Sri Jayawardenepara
48 (GMT+5:45) Kathmandu
45 (GMT+5:00) Ekaterinburg
49 (GMT+6:00) Almaty, Novosibirsk
50 (GMT+6:00) Astana, Dhaka
52 (GMT+6:30) Rangoon
53 (GMT+7:00) Bangkok, Hanoi, Jakarta
54 (GMT+7:00) Krasnoyarsk
55 (GMT+8:00) Beijing, ChongQing, HongKong, Urumgi, Irkutsk
56 (GMT+8:00) Ulaan Bataar
57 (GMT+8:00) Kuala Lumpur, Singapore
58 (GMT+8:00) Perth
59 (GMT+8:00) Taipei
60 (GMT+9:00) Osaka, Sapporo, Tokyo, Seoul
62 (GMT+9:30) Adelaide
63 (GMT+9:30) Darwin
61 (GMT+9:00) Yakutsk
64 (GMT+10:00) Brisbane
65 (GMT+10:00) Canberra, Melbourne, Sydney
66 (GMT+10:00) Guam, Port Moresby
67 (GMT+10:00) Hobart
68 (GMT+10:00) Vladivostok
69 (GMT+10:00) Magadan
70 (GMT+11:00) Solomon Is., New Caledonia
71 (GMT+12:00) Auckland, Wellington
72 (GMT+12:00) Fiji, Kamchatka, Marshall Is.
00 (GMT+12:00) Eniwetok, Kwajalein
82 (GMT+12:45) Chatham Islands
73 (GMT+13:00) Nuku'alofa
86 (GMT+13:00) Samoa
76 (GMT+14:00) Kiritimati
config tftp-server
edit {tftp-server}
# One or more hostnames or IP addresses of the TFTP servers in quotes separated by spaces.
set tftp-server {string} TFTP server. size[63]
next
set filename {string} Name of the boot file on the TFTP server. size[127]
config options
edit {id}
# DHCP options.
set id {integer} ID. range[0-4294967295]
set code {integer} DHCP option code. range[0-255]
set type {hex | string | ip | fqdn} DHCP option type.
hex DHCP option in hex.
string DHCP option in string.
ip DHCP option in IP.
fqdn DHCP option in domain search option format.
set value {string} DHCP option value. size[312]
set ip {string} DHCP option IPs.
next
set server-type {regular | ipsec} DHCP server can be a normal DHCP server or an IPsec DHCP server.
regular Regular DHCP service.
ipsec DHCP over IPsec service.
set ip-mode {range | usrgrp} Method used to assign client IP.
range Use range defined by start-ip/end-ip to assign client IP.
usrgrp Use user-group defined method to assign client IP.
set conflicted-ip-timeout {integer} Time in seconds to wait after a conflicted IP address is removed from the DHCP range before it can be reused. range[60-8640000]
set ipsec-lease-hold {integer} DHCP over IPsec leases expire this many seconds after tunnel down (0 to disable forced-expiry). range[0-8640000]
set auto-configuration {disable | enable} Enable/disable auto configuration.
set ddns-update {disable | enable} Enable/disable DDNS update for DHCP.
set ddns-update-override {disable | enable} Enable/disable DDNS update override for DHCP.
set ddns-server-ip {ipv4 address} DDNS server IP.
set ddns-zone {string} Zone of your domain name (ex. DDNS.com). size[64]
set ddns-auth {disable | tsig} DDNS authentication mode.
disable Disable DDNS authentication.
tsig TSIG based on RFC2845.
set ddns-keyname {string} DDNS update key name. size[64]
set ddns-key {string} DDNS update key (base 64 encoding).
set ddns-ttl {integer} TTL. range[60-86400]
set vci-match {disable | enable} Enable/disable vendor class identifier (VCI) matching. When enabled only DHCP requests with a matching VCI are served.
config vci-string
edit {vci-string}
# One or more VCI strings in quotes separated by spaces.
set vci-string {string} VCI strings. size[255]
next
config exclude-range
edit {id}
# Exclude one or more ranges of IP addresses from being assigned to clients.
set id {integer} ID. range[0-4294967295]
set start-ip {ipv4 address} Start of IP range.
set end-ip {ipv4 address} End of IP range.
next
config reserved-address
edit {id}
# Options for the DHCP server to assign IP settings to specific MAC addresses.
set id {integer} ID. range[0-4294967295]
set ip {ipv4 address} IP address to be reserved for the MAC address.
set mac {mac address} MAC address of the client that will get the reserved IP address.
set action {assign | block | reserved} Options for the DHCP server to configure the client with the reserved MAC address.
assign Configure the client with this MAC address like any other client.
block Block the DHCP server from assigning IP settings to the client with this MAC address.
reserved Assign the reserved IP address to the client with this MAC address.
set description {string} Description. size[255]
next
next
end
config system dhcp6 server
edit {id}
# Configure DHCPv6 servers.
set id {integer} ID. range[0-4294967295]
set status {disable | enable} Enable/disable this DHCPv6 configuration.
set rapid-commit {disable | enable} Enable/disable rapid commit.
set lease-time {integer} Lease time in seconds, 0 means unlimited. range[300-8640000]
set dns-service {delegated | default | specify} Options for assigning DNS servers to DHCPv6 clients.
delegated Delegated DNS settings.
default Clients are assigned the FortiGate's configured DNS servers.
specify Specify up to 3 DNS servers in the DHCPv6 server configuration.
set dns-search-list {delegated | specify} DNS search list options.
delegated Delegate the DNS search list.
specify Specify the DNS search list.
set dns-server1 {ipv6 address} DNS server 1.
set dns-server2 {ipv6 address} DNS server 2.
set dns-server3 {ipv6 address} DNS server 3.
set domain {string} Domain name suffix for the IP addresses that the DHCP server assigns to clients. size[35]
set subnet {ipv6 prefix} Subnet or subnet-id if the IP mode is delegated.
set interface {string} DHCP server can assign IP configurations to clients connected to this interface. size[15] - datasource(s): system.interface.name
set option1 {string} Option 1.
set option2 {string} Option 2.
set option3 {string} Option 3.
set upstream-interface {string} Interface name from where delegated information is provided. size[15] - datasource(s): system.interface.name
set ip-mode {range | delegated} Method used to assign client IP.
range Use range defined by start IP/end IP to assign client IP.
delegated Use delegated prefix method to assign client IP.
config prefix-range
edit {id}
# DHCP prefix configuration.
set id {integer} ID. range[0-4294967295]
set start-prefix {ipv6 address} Start of prefix range.
set end-prefix {ipv6 address} End of prefix range.
set prefix-length {integer} Prefix length. range[1-128]
next
config ip-range
edit {id}
# DHCP IP range configuration.
set id {integer} ID. range[0-4294967295]
set start-ip {ipv6 address} Start of IP range.
set end-ip {ipv6 address} End of IP range.
next
next
end
status {disable | enable}
Enable or disable this DHCP server, default is enable.
lease-time <integer>
Lease time in seconds, a value between 300 and 8640000 (5 minutes to almost 100 days), or 0 for unlimited lease time. Default is 604800.
mac-acl-default-action {assign | block}
MAC access control default action. Set whether or not the DHCP server assigns network settings to a DHCP client with a MAC address that is on the MAC address control list.
assign: Allow the DHCP server to assign IP settings to a client on the MAC address control list.
block: Block the DHCP server from assigning IP settings to a client on the MAC address control list.
forticlient-on-net-status {disable | enable}
Enable or disable the FortiClient-On-Net service for this DHCP server, default is enable.
dns-service {local | default | specify}
How the DHCP clients are assigned DNS servers.
local: IP address of the interface the DHCP server is added to becomes the client's DNS server IP address.
default: IP addresses of the DNS servers added to the FortiGate configuration become the client's DNS server IP addresses.
specify: Specify up to 3 DNS servers in the DHCP server configuration.
dns-server1 <ip>
Set the IP address of DNS server(s) which will be used by DHCP clients, up to three DNS servers (dns-server1, dns-server2, and dns-server3).
wifi-ac1 <ip>
Set the IP addresses of up to three WiFi Access Controllers (wifi-ac1, wifi-ac2, and wifi-ac3). These addresses are sent to Wireless Termination Points (WTPs) in DHCP option 138 (RFC 5417).
ntp-service {local | default | specify}
How the DHCP clients are assigned Network Time Protocol (NTP) servers.
local: IP address of the interface the DHCP server is added to becomes the client's NTP server IP address.
default: IP addresses of the NTP servers added to the FortiGate configuration become the client's NTP server IP addresses.
specify: Specify up to 3 NTP servers in the DHCP server configuration.
ntp-server1 <ip>
Set the IP address of NTP server(s), up to three NTP servers (ntp-server1, ntp-server2, and ntp-server3).
domain <string>
Domain name suffix for the IP addresses that the DHCP server assigns to clients.
wins-server1 <ip>
Set the IP address of WINS server(s), up to two WINS servers (wins-server1, and wins-server2).
default-gateway <ip>
The default gateway IP address that will be used by DHCP clients as their default gateway.
next-server <ip>
The IP address of the next bootstrap server. Add an IP address if you are using a secondary DHCP server to assign IP configuration options.
netmask <netmask>
The netmask assigned by the DHCP server.
interface <interface-name>
The DHCP server can assign IP configurations to DHCP clients connected to this interface.
config ip-range
DHCP IP range configuration.
start-ip <ip>
The first IP of the range.
end-ip <ip>
The last IP of the range.
timezone-option {disable | default | specify}
How the DHCP server sets the client's time zone.
disable: Do not set the client's time zone.
default: DHCP clients are assigned the FortiGate's configured time zone.
specify: Specify the time zone to be assigned to DHCP clients.
timezone <timezone-number>
Select the time zone that the DHCP server assigns to DHCP clients. Available if timezone-option is set to specify.
tftp-server <string> [<string>]
Hostnames or IP addresses of one or more TFTP servers.
filename <string>
The name of the boot file on the TFTP server.
config options
The DHCP options configuration.
code <integer>
The option's code for DHCP, see RFC 2132 for more details.
type {hex | string | ip}
DHCP option in hexadecimal, string, or IP, default is hex.
value <string>
The value is specified as a single octet. Values are available per option, see RFC 2132 for more details.
server-type {regular | ipsec}
Regular DHCP service or DHCP over IPsec services.
conflicted-ip-timeout <integer>
The time in seconds to wait after a conflicted IP address is removed from the DHCP range before it can be reused. Value between 60 and 8640000 seconds (1 minute to 100 days), default is 1800.
auto-configuration {disable | enable}
Disable or enable auto configuration, default is enable.
ddns-update {disable | enable}
Disable or enable Dynamic DNS update for DHCP, default is disable.
vci-match {disable | enable}
Disable or enable vendor class identifier (VCI) matching. When enabled, only DHCP requests with a matching VCI string are served. Default is disable.
vci-string <strings>
One or more VCI strings in quotes and separated by spaces.
config exclude-range
DHCP exclude range configuration.
start-ip <ip>
The first IP of the excluded range.
end-ip <ip>
The last IP of the excluded range.
config reserved-address
How the DHCP server assigns IP settings to specific MAC addresses.
ip <ip>
The IP address to be reserved for the client with the MAC address. Only valid if action is set to reserved.
mac <mac-address>
MAC address of the client to be configured by the DHCP server according to the action.
action {assign | block | reserved}
How the DHCP server configures the client with the reserved MAC address.
assign: The DHCP server treats the client with this MAC address like any other client.
block: Block the DHCP server from assigning IP settings to the client with this MAC address.
reserved: Assign the reserved IP address to the client with this MAC address.
description <string>
Optionally describe the client with this MAC address.
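
A complete config system dhcp server entry built only from options documented on this page, as an added example that is not taken from Fortinet's documentation. The interface name, IP and MAC addresses, DNS zone, key name and key are constructed placeholders; nested tables are closed with end, which the syntax listing above leaves out.

```fortios
# Added example. Every name, address and key below is a constructed placeholder.
config system dhcp server
    edit 1
        set status enable
        set interface "port2"
        set default-gateway 192.0.2.1
        set netmask 255.255.255.0
        # Finite lease (1 day) rather than 0 (unlimited).
        set lease-time 86400
        set dns-service specify
        set dns-server1 192.0.2.53
        set ntp-service local
        # Default action of the MAC access control list.
        set mac-acl-default-action block
        # Dynamic DNS updates authenticated with TSIG (ddns-auth tsig, not disable).
        set ddns-update enable
        set ddns-server-ip 192.0.2.53
        set ddns-zone "example.com"
        set ddns-auth tsig
        set ddns-keyname "dhcp-update-key"
        set ddns-key <base64-tsig-key>
        config ip-range
            edit 1
                set start-ip 192.0.2.100
                set end-ip 192.0.2.200
            next
        end
        # Addresses inside the range that must never be leased.
        config exclude-range
            edit 1
                set start-ip 192.0.2.150
                set end-ip 192.0.2.159
            next
        end
        config reserved-address
            edit 1
                set ip 192.0.2.120
                set mac 00:00:5e:00:53:01
                set action reserved
                set description "constructed entry: print server"
            next
            edit 2
                set mac 00:00:5e:00:53:02
                set action block
                set description "constructed entry: blocked client"
            next
        end
    next
end
```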